Cisco®
Oracle
CompTIA
Checkpoint
ISC
EC-Council
EXIN
Fortinet
ITIL®
Juniper
Microsoft
VMware
Avaya
SAP
Google
Salesforce
Amazon
Palo Alto Networks
ISC2
Splunk®
All Vendors
  2. Home
  3. Exams
  4. Microsoft
  5. AZ-104

Free Microsoft AZ-104 Exam Questions (page: 37)

Page 13 of 69
PDF with 553 Questions

You have an Azure subscription that contains the resources shown in the following table.


You need to assign Workspace1 a role to allow read, write, and delete operations for the data stored in the containers of storage1.
Which role should you assign?

  1. Storage Account Contributor
  2. Contributor
  3. Storage Blob Data Contributor
  4. Reader and Data Access

Answer(s): C

Explanation:

Storage Blob Data Contributor
Read, write, and delete Azure Storage containers and blobs. Incorrect:
Storage Account Contributor
Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization.
Reader and Data Access
Let's you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys.
* Contributor
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.


Reference:

https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles



You have an Azure subscription named Subscription1 that contains virtual network named VNet1. VNet1 is in a resource group named RG1.
A user named User1 has the following roles for Subscription1: Reader
Security Admin Security Reader
You need to ensure that User1 can assign the Reader role for VNet1 to other users. What should you do?

  1. Remove User1 from the Security Reader and Reader roles for Subscription1. Assign User1 the Contributor role for Subscription1.
  2. Assign User1 the Contributor role for VNet1.
  3. Assign User1 the Owner role for VNet1.
  4. Assign User1 the Network Contributor role for RG1.

Answer(s): C

Explanation:

Owner
Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.
Incorrect:
Not A, Not B: Contributor
Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.
Not D: Network Contributor
Let’s you manage networks, but not access to them.


Reference:

https://learn.microsoft.com/en-us/azure/role-based-access-control/rbac-and-directory-admin-roles



You have a Microsoft Entra tenant that contains the groups shown in the following table.


You purchase Microsoft Entra ID P2 licenses. To which groups can you assign a license?

  1. Group1 only
  2. Group1 and Group3 only
  3. Group3 and Group4 only
  4. Group1, Group2, and Group3 only
  5. Group1, Group2, Group3, and Group4

Answer(s): B

Explanation:

Licenses can be assigned to any security group in Microsoft Entra ID.


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/licensing-whatis-azure-portal



HOTSPOT (Drag and Drop is not supported)
You have a Microsoft Entra tenant.
You need to create a Microsoft 365 group that contains only members of a marketing department in France.
How should you complete the dynamic membership rule? To answer, select the appropriate options in the answer area.
NOTE: Each correct answer is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: user.department
The following example illustrates a properly constructed membership rule with a single expression: user.department -eq "Sales"
Box 2: and
Both need to be true.
Note: Rules with multiple expressions
A group membership rule can consist of more than one single expression connected by the -and, -or, and -not logical operators. Logical operators can also be used in combination.
The following are examples of properly constructed membership rules with multiple expressions: (user.department -eq "Sales") -or (user.department -eq "Marketing")
(user.department -eq "Sales") -and -not (user.jobTitle -contains "SDE")
Box 3: -eq
Supported expression operators
The following table lists all the supported operators and their syntax for a single expression. Operators can be used with or without the hyphen (-) prefix. The Contains operator does partial string matches but not item in a collection matches.
* Equals Syntax: -eq
* Etc. Reference:
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/groups-dynamic-membership



HOTSPOT (Drag and Drop is not supported)
You have a Microsoft Entra tenant.
You need to modify the Default user role permissions settings for the tenant. The solution must meet the following requirements:
Standard users must be prevented from creating new service principals.
Standard users must only be able to use PowerShell or Microsoft Graph to manage their own Azure resources.
Which two settings should you modify? To answer, select the appropriate settings in the answer area.
NOTE: Each correct answer is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Users can register applications
Standard users must be prevented from creating new service principals.
In the Microsoft Entra admin center, you can restrict the ability of non-privileged users to create service principles by setting the "Users can register applications" option to "No" in the User settings blade. This will prevent non-privileged users from creating new applications or service principles in the Microsoft Entra tenant, while still allowing privileged users to perform these actions if necessary.
Note: Owned enterprise applications
Users can perform the following actions on owned enterprise applications. An enterprise application consists of a service principal, one or more application policies, and sometimes an application object in the same tenant as the service principal.
Box 2: Administration portal, Restrict access to Microsoft Entra administration portal
Standard users must only be able to use PowerShell or Microsoft Graph to manage their own Azure resources. From the exhibit we see: Administration portal, Restrict access to Microsoft Entra administration portal: No


Reference:

https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions



HOTSPOT (Drag and Drop is not supported)
You have an Azure subscription named Sub1 that contains the blob containers shown in the following table.


Sub1 contains two users named User1 and User2. Both users are assigned the Reader role at the Sub1 scope.
You have a condition named Condition1 as shown in the following exhibit.


You have a condition named Condition2 as shown in the following exhibit.


You assign roles to User1 and User2 as shown in the following table.


For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Yes
User1 has Reader role for the subscription.
User1 is a Storage Blob Data Reader in the scope of the subscription, with Condition1. Condition1 is true of the action is ../containers/blobs/read.
Box 2: Yes
Same logic as for Box 1.
Box 3: No
For User2 Condition2 applies.
Condition2 is true if action is write, or container name includes character 2. User2 cannot read blob1.



Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a Microsoft Entra tenant named contoso.com.
You have a CSV file that contains the names and email addresses of 500 external users. You need to create a guest user account in contoso.com for each of the 500 external users. Solution: You create a PowerShell script that runs the New-MgUser cmdlet for each user.
Does this meet the goal?

  1. Yes
  2. No

Answer(s): B

Explanation:

Instead use the New-AzureADMSInvitation cmdlet which is used to invite a new external user to your directory.
Correct Solution: You create a PowerShell script that runs the New-AzureADMSInvitation cmdlet for each external user.


Reference:

https://docs.microsoft.com/en-us/powershell/module/azuread/new-azureadmsinvitation



HOTSPOT (Drag and Drop is not supported)
You purchase a new Azure subscription.
You create an Azure Resource Manager (ARM) template named deploy.json as shown in the following exhibit.


You connect to the subscription and run the following command.
New-AzDeployment –Location westus –TemplateFile “deploy.json”
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:

  1. See Explanation section for answer.

Answer(s): A

Explanation:



Box 1: Yes
Two resource groups are created in the copy index loop. One third is created in a separate statement.
We see:
"count": 2
Note: Syntax
Add the copy element to the resources section of your template to deploy multiple instances of the resource. The copy element has the following general format:
"copy": {
"name": "<name-of-loop>", "count": <number-of-iterations>, "mode": "serial" <or> "parallel",
"batchSize": <number-to-deploy-serially>
}
The name property is any value that identifies the loop. The count property specifies the number of iterations you want for the resource type.
Box 2: No
The resource groups created in the copyindex loop are named RGS1 and RGS2. The third resource group is named according to the statement:
"Name": "[concat('RGroup', length(parameters)('obj1')))] We see obj1 with four items (PropA, PropB, PropC, Prop4)
Length of obj1 would be 4, not 5.
Box 3: Yes
In the copy index loop we have "location": "eastus"
In the separate statement to create the third resource group we see:
We see:
"location": [last(variables('var1'))]
And var1 defined as:
"var1": [ "westus" "centraus" "eastus"
]
The location would again be eastus. Note:
The New-AzDeployment cmdlet adds a deployment at the current subscription scope. This includes the resources that the deployment requires.
To add a deployment at subscription, specify the location and a template. The location tells Azure Resource Manager where to store the deployment data.


Reference:

https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/copy-resources https://learn.microsoft.com/en-us/powershell/module/az.resources/new-azdeployment



Viewing page 37 of 69



Post your Comments and Discuss Microsoft AZ-104 exam prep with other Community members:

AZ-104 Exam Discussions & Posts